Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Problematic DMZ and Exchange configuration

Hi all,

I'm trying to build a standard inside/dmz/outside configuration with an ASA 5510 (running 8.3) to support testing an MS Exchange server 2010, where the hub role is on a box on the inside network ( and the edge role is on a server in the dmz (

My difficulties are as follows:

1) All traffic seems to be blocked between dmz and inside.  For example, DNS (UDP 53) is not working for the mail edge server when it looks for DNS servers on the inside.

2) TCP port 50636 also needs to be open between inside and dmz for the ADAM service to work.  I'm getting errors regarding an asymmetrical NAT issue denying that traffic -- perhaps because source and dest ports are different for this traffic?

3) Connectivity to/from the outside appears to be failing also.  I do not appear to be able to connect to the http or https services of the edge server using its public IP from an outside source.

Here is my running config:

ASA Version 8.3(2)
hostname test
enable password zzzzzzzzzzzzzzzzzz encrypted
passwd zzzzzzzzzzzzzzz encrypted
interface Ethernet0/0
description Outside
nameif outside
security-level 0
ip address
interface Ethernet0/1
description DMZ
nameif dmz
security-level 10
ip address
interface Ethernet0/2
description Inside
nameif inside
security-level 100
ip address
interface Ethernet0/3
no nameif
no security-level
no ip address
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
object network NAT_inside-dmz
description NAT between inside and dmz
object network NAT_publicmail-inside
description NAT for public mail IP
object network staticPAT
description Static PAT for dmz mail server
object network Mail-public-NAT
description Static NAT between mail edge server in dmz and outside
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service ADAM tcp
description LDAP over SSL for ADAM
port-object eq 50636
access-list outside_access_in extended permit tcp any host object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip interface inside
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any dmz
icmp permit any inside
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
object network NAT_inside-dmz
nat (inside,dmz) static
object network NAT_publicmail-inside
nat (dmz,inside) static
object network Mail-public-NAT
nat (dmz,outside) static
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 5
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh dmz
ssh timeout 15
console timeout 15
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username person1 password zzzzzzzzzzzzzzzzzzzzz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Any help to clear up some of these issues and steer me in the right direction would be vey gratefully received.



Everyone's tags (6)
Cisco Employee

Re: Problematic DMZ and Exchange configuration

Hi Gavin,

Are you sure you want to translate addresses for communication between the inside network and the DMZ? Since they are both private networks, you don't necessarily need to configure any NAT between these interfaces (there is no 'nat-control' in ASA 8.3 like there was in previous versions). The hosts should be able to communicate using their internal/private addresses just fine.

You would also need to configure an access-list in the inbound direction on the DMZ interface if the server in the DMZ will initiate any of these connections, such as:

access-list dmz_access_in permit ip host host

access-group dmz_access_in in interface dmz

As for problem #3, this is caused by an incorrect ACL entry. In ASA 8.3, you need to use the real/local IP address in the access-list rather than the mapped/global IP like you would do in pre-8.3 configs. Your ACL should look like this:

access-list outside_access_in extended permit tcp any host object-group DM_INLINE_TCP_1

Hope that helps.


New Member

Re: Problematic DMZ and Exchange configuration

Thanks for your assistance, Mike.  Your suggestions helped somewhat, though I still found that i had no communication between inside and dmz until I reinstated a static NAT between them (no IP translation, just a NAT rule).

I've still to iron out some other bits and pieces, but I'm certainly closer, and I thank you for helping me with that.

-- Gavin

CreatePlease to create content